Topics

Architecture of the Model S and Battery Management System (BMS)
Performance and Ludicrous timeline
Hardware changes
Data stored in Toolbox
Firmware changes
Shunt modification
Upgrade process
Failure and what I learned
Next steps

[Slide image: "PREPARE FOR LUDICROUS SPEED!!!"]
Model S Architecture

Central Information Display (CID): Nvidia Tegra based

Gateway: a security component, stores vehicle configuration, sits between the various CAN buses and the CID

Powertrain (PT) CAN bus: contains the BMS, drive units, charging, thermal control and other powertrain related controllers

PT CAN runs at 500 kbit/s and is a standard vehicle CAN bus (differential signaling, 11-bit arbitration IDs, etc.)

PT CAN supports the UDS standard.
BMS Overview

* TI TMS320C2809 - Main microprocessor
* Altera CPLD - Hardware backup for the TMS320
* Current Shunt with STM8, measures current coming from the battery
* Precharge Resistor, prevents inrush current damage
* BMB boards on each battery pack, these include bleed resistors to balance packs

All the firmware changes are on the TMS320

Some settings are changed on the shunt, in addition it has a small physical modification

Full reversing of all the components is an ongoing project, so if you want to help, I am lacking in some of the skill areas.

BMS with Components
Ludicrous History

P85D announced on Oct 10, 2014
Ludicrous announced on July 17, 2015
$10K for new buyers, $5K for existing P85D owners
Upgrade involved new contactors and pyro fuse
Many performance battery packs would come standard with the new components; they were "ludicrous capable"
All 100 kWh performance battery packs are "ludicrous capable"

Ludicrous capable means the upgrade is just adding "performanceaddon 1" to a single file, internal.dat, on the gateway
I Upgraded a Donor Vehicle

Pack Dropped

Fuse and Contactor Bay


Shunt and Contactor Close Up 


What about Firmware?

For this we need to dig into some Python.

Tesla makes a diagnostic tool called Toolbox; it runs on Windows and uses encrypted, compiled Python modules.

The important files are contained as individual plugins with the .scramble extension.

All of the information needed to decrypt the scramble files is on a machine that is running Toolbox.

Some of these scramble files include firmware as well as many other useful items.

Once decrypted, we can use uncompyle6 to give us source code.

Tesla left all the source code comments in place. Thank you!


Toolbox plugin directory (Name / Type):

hci-2018.0.6-win32.scramble                  SCRAMBLE File
tbx_chademo-2018.0.1-win32.scramble          SCRAMBLE File
tbx_coyote_cam-2018.0.1-win32.scramble       SCRAMBLE File
tbx_dev-2018.0.5-win32.scramble              SCRAMBLE File
tbx_driver_assist-2018.0.8-win32.scramble    SCRAMBLE File
tbx_engineering-2018.0.1-win32.scramble      SCRAMBLE File
tbx_fw_update_ext-2018.24.1-win32.scramble   SCRAMBLE File
tbx_fw_update-2018.0.2-win32.scramble        SCRAMBLE File
tbx_gen2_firmware-2018.0.1-win32.scramble    SCRAMBLE File
tbx_gen2_meta-2018.0.1-win32.scramble        SCRAMBLE File
tbx_gen2-2018.36.26-win32.scramble           SCRAMBLE File
tbx_key_pairing-2018.0.4-win32.scramble      SCRAMBLE File
tbx_meta_18_2_23-18.2.23-win32.scramble      SCRAMBLE File
tbx_rest-2018.0.3-win32.scramble             SCRAMBLE File
tbx_restraint-2018.0.2-win32.scramble        SCRAMBLE File
tbx_security-2018.0.4-win32.scramble         SCRAMBLE File
tbx_service-2018.33.4-win32.scramble         SCRAMBLE File
tbx_steering-2018.0.1-win32.scramble         SCRAMBLE File
tbx_suspension-2018.0.1-win32.scramble       SCRAMBLE File
tbx_testing-2018.36.1-win32.scramble         SCRAMBLE File
tbx_third_party-2018.0.2-win32.scramble      SCRAMBLE File
tbx_uss-2018.0.1-win32.scramble              SCRAMBLE File
Toolbox Uncompyled

# uncompyle6 version 3.3.2
# Python bytecode 2.7 (62211)
# [GCC 5.4.0 20160609]
# Embedded file name: build\bdist.win32\egg\vehicle\core\uds\data.py
# Compiled at: 2017-07-27 11:08:07
__author__ = 'Eric Hulser'
__email__ = 'ehulser@teslamotors.com'
__copyright__ = 'Copyright Tesla Motors Inc. 2013'
import logging
from xqt import QtCore
from .object import UdsObject
from . import errors
log = logging.getLogger(__name__)

class UdsData(UdsObject):
Helpful Comments

# Compiled at: 2017-07-26 15:43:06
"""
Defines the a VehicleTest to change the performance addon config.
"""
__authors__ = [
 'Otto Chiu']
__author__ = (', ').join(__authors__)
__credits__ = []
__copyright__ = 'Copyright Tesla Motors Inc. 2015'
from tbx_gen2.testing import Gen2VehicleTest
import logging
log = logging.getLogger(__name__)

class PerformanceAddonConfig(Gen2VehicleTest):

    def exec(self):
        """
        First verify that a vehicle can be configured in the desired config.
        For Standard mode, there is no checks; for Ludicrous mode, the vehicle
        needs to be AWD and has a battery pack config that supports 1500A+ current discharge.
        """
Data Structures — Extract and Binwalk

from xqt import QtCore
qt_resource_data = '\x00\x00\x00\x10<\xb8d\x18\xca\xef\x9c\x95\xcd!\x1c\xbf \xa1\xbd\xdd\x00\x00\x00\x10<\xb8...
qt_resource_name = '\x00\x11\n|+E\x00t\x00b\x00x\x00_\x00g\x00e\x00n\x002\x00_\x00f\x00i\x00r\x00m\x00w\x00a...
qt_resource_struct = '\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00...

def qInitResources():
    QtCore.qRegisterResourceData(1, qt_resource_struct, qt_resource_name, qt_resource_data)

def qCleanupResources():
    QtCore.qUnregisterResourceData(1, qt_resource_struct, qt_resource_name, qt_resource_data)
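The three strings above are the Qt resource tables that pyrcc writes: a tree of 14-byte struct nodes, a UTF-16BE name table, and a data table whose entries may be zlib (qCompress) payloads; the name table visibly spells "tbx_gen2_firmwa...". The block below is an added example (mine, not Toolbox code) that walks that version-1 layout and extracts each file, then does the magic-byte triage that binwalk automates. The sample resource tables are constructed inside the block; the Intel HEX stub and the protocol-0 pickle are hypothetical stand-ins, not Tesla's data.

```python
import struct
import zlib

# Node flag bits used by Qt's rcc format (see qresource.cpp)
RCC_COMPRESSED = 0x01
RCC_DIRECTORY = 0x02
NODE_SIZE = 14  # format version 1: no last-modified field per node


def _read_name(names, offset):
    """Name table entry: u16 char count, u32 hash, then UTF-16BE characters."""
    count, = struct.unpack_from(">H", names, offset)
    start = offset + 6
    return names[start:start + 2 * count].decode("utf-16-be")


def _read_data(data, offset, flags):
    """Data table entry: u32 size then the bytes. Compressed nodes hold the
    qCompress layout: u32 uncompressed size followed by a zlib stream."""
    size, = struct.unpack_from(">I", data, offset)
    blob = data[offset + 4:offset + 4 + size]
    if flags & RCC_COMPRESSED:
        expected, = struct.unpack_from(">I", blob, 0)
        blob = zlib.decompress(blob[4:])
        if len(blob) != expected:
            raise ValueError("decompressed size does not match header")
    return blob


def walk_rcc(tree, names, data, index=0, prefix=""):
    """Yield (path, bytes) for every file node reachable from node `index`."""
    name_off, flags = struct.unpack_from(">IH", tree, index * NODE_SIZE)
    path = prefix if index == 0 else prefix + "/" + _read_name(names, name_off)
    body = index * NODE_SIZE + 6
    if flags & RCC_DIRECTORY:
        count, first = struct.unpack_from(">II", tree, body)
        for child in range(first, first + count):
            yield from walk_rcc(tree, names, data, child, path)
    else:
        _country, _language, data_off = struct.unpack_from(">HHI", tree, body)
        yield path, _read_data(data, data_off, flags)


def extract_all(tree, names, data):
    return dict(walk_rcc(tree, names, data))


def file_kind(blob):
    """Magic-byte triage of an extracted blob, the manual version of what binwalk does.
    Inspect pickles with pickletools.dis; never pickle.loads() untrusted bytes."""
    if blob.startswith(b":") and all(c in b"0123456789ABCDEFabcdef:\r\n" for c in blob[:64]):
        return "intel-hex"
    if blob[:1] == b"\x80" or blob.startswith(b"(dp"):
        return "python-pickle"
    return "unknown"


def build_rcc(files, compress):
    """Constructed test input: pack a flat set of files under the root directory the
    way pyrcc lays out a version-1 resource (hashes left zero; they only serve Qt's
    binary search, not a linear walk)."""
    names, data, tree = bytearray(), bytearray(), bytearray()
    tree += struct.pack(">IHII", 0, RCC_DIRECTORY, len(files), 1)  # root: children start at node 1
    for fname, payload in sorted(files.items()):
        name_off = len(names)
        names += struct.pack(">HI", len(fname), 0) + fname.encode("utf-16-be")
        flags, blob = 0, payload
        if compress:
            flags, blob = RCC_COMPRESSED, struct.pack(">I", len(payload)) + zlib.compress(payload)
        data_off = len(data)
        data += struct.pack(">I", len(blob)) + blob
        tree += struct.pack(">IHHHI", name_off, flags, 0, 0, data_off)
    return bytes(tree), bytes(names), bytes(data)


# Hypothetical payloads standing in for firmware and calibration files (not Tesla's).
SAMPLE_FILES = {
    "bms_app.hex": b":020000040000FA\n:00000001FF\n",
    "shunt_cal.pickle": b"(dp0\nS'SHUNT_HWID'\np1\nI4\ns.",
}


def demo(compress=True):
    tree, names, data = build_rcc(SAMPLE_FILES, compress)
    return {path: (file_kind(blob), blob) for path, blob in extract_all(tree, names, data).items()}


if __name__ == "__main__":
    for path, (kind, blob) in demo().items():
        print(path, kind, len(blob), "bytes")
```

On a real Toolbox module the three `qt_resource_*` strings are passed straight to `extract_all`; the walk is independent of the hash values, so a resource whose names were hashed differently still extracts.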
Bootloader

We already know from the donor vehicle's config that it had a pack id of "57"

These are the files we need from the extracted firmware

Pack id 57 becomes pack id 70 after the changes

Changes HWID from 57 to 70

http://artifacts.teslamotors.com/jenkins-job/bootloaders/git/21c44cbe0713a1beaa105b00cf
name: 57 Gateway Application
description: HWID 57 Gateway Application for Shunt Calibration
filename: firmware/bms/withSecondaryBoot_UDSBoot_BMS_GATEWAY_APP_HWID-57.hex
ludicrousable: True
hwid: 57
calibrateShunt: True
linkedPackageName: 57 Updater

name: 57 Updater
description: HWID 57 Updater File
filename: firmware/bms/withSecondaryBoot_UDSBoot_BMS-R57-CSM_UPDATER_SVN-68454.hex
flashBootUpdater: True
linkedPackageName: 70 Bootloader
ludicrousable: True

name: 70 Bootloader
description: HWID 70 Bootloader
filename: firmware/bms/withSecondaryBoot_UDSBoot_BMS-R70-CSM_SVN-71214.hex
changeBootHWID: True
module: UDS_FLASH_BOOTLOADER
linkedPackageName: 70 Application
Firmware Upgrade

All the instructions and files needed for the upgrade process were stored in Toolbox files

DBC files to help understand signals on the PT CAN bus, stored in Python pickle format

ODX files that defined how to calibrate the shunt, grant security access and upgrade the firmware

Files that stored calibration data and firmware in Python pickle format

Text comments and text data structures that offered clues on the process

GW4_ModelS_ESP_2.0.pickle (protocol-0 pickle text, excerpt):

...
S'BMS_maxDischargeCurrent'
p224102
sg149
g176423
...
(dp224103
CAN and UDS

Sitting on top of the CAN network stack is a protocol called UDS, or "Unified Diagnostic Services". This protocol can be used to help technicians:

* Diagnose problems
* Read values from sensors
* Update firmware

CAN networks use a descriptor file called a DBC file

UDS networks can use a scripting file called ODX or GMD

Used commercial tool Vehicle Spy to assist in the research

ARBs 7E2 and 202 from BMS identify max current as a static value

232 (BMS), 266 (DI) and 2E5 (DIS) identify max power in watts, which varies based on SOC, temp, and power recently used

ODX excerpt (truncated on the slide):

<STRUCTURE ID="DLC.TESLA_BOOT.BV.TESLA_BOOT.STR.SHUNT_CALIBRATION_DATA_READ">
  <SHORT-NAME>SHUNT_CALIBRATION_DATA_READ</SHORT-NAME>
  <LONG-NAME>SHUNT CALIBRATION DATA Read</LONG-NAME>
  <BYTE-SIZE>11</BYTE-SIZE>
  <PARAMS>
    <PARAM SEMANTIC="DATA" xsi:type="VALUE">
      <SHORT-NAME>SHUNT_HWID</SHORT-NAME>
      <LONG-NAME>Shunt HWID</LONG-NAME>
      <BYTE-POSITION>0</BYTE-POSITION>
      <DOP-REF ID-REF="DLC.TESLA_BOOT.BV.TESLA_BOOT.DOP.UINT_1BYTE"></DOP-REF>
    </PARAM>
    <PARAM SEMANTIC="DATA" xsi:type="VALUE">
      <SHORT-NAME>CGI1_DATA</SHORT-NAME>
      <LONG-NAME>CGI1 Data</LONG-NAME>
      <BYTE-POSITION>1</BYTE-POSITION>
      <DOP-REF ID-REF="DLC.TESLA_BOOT.BV.TESLA_BOOT.DOP.UINT_2BYTE"></DOP-REF>
    </PARAM>
    <PARAM SEMANTIC="DATA" xsi:type="VALUE">
      <SHORT-NAME>CAU1_DATA</SHORT-NAME>
      <LONG-NAME>CAU1 Data</LONG-NAME>
      ...
      <DOP-REF ID-REF="DLC.TESLA_BOOT.BV.TESLA_BOOT.DOP.U...

DBC Turns This

[Vehicle Spy capture of raw PT CAN frames; columns Count, Time, Description, Len, Data. Arbitration IDs seen: HS CAN $102, $202, $212, $218, $222, $232, $242, $246, $248, $252, $262, $272, $2BF, $2C8, $2D2, $302, with periods between about 10 ms and 1 s. Sample undecoded payloads: 00 00 32 A6 64 4C 08 00 / 80 9D 1E 98 00 00 00 00 / 88 26 5E 07 / DB 00 F5 03 49 / 00 E0 43 FB 00 00 00 00]
Into This

[Same capture with the DBC loaded; messages are decoded by name, with arbitration IDs as shown:]

BMS_energyStatus    382
BMS_hvBusStatus     102
BMS_iSensorInfo     532
BMS_info            5D2
BMS_kwhCounter      302
BMS_odometerSta...  562
BMS_powerAvailable  232   data 88 26 5E 07 (raw words [2688] and [75E])
    BMS_maxDischargePower / BMS_maxRegenPower: 98.640 kW [2688], 18.860 kW [75E]
BMS_ptNm            402
BMS_serialNumber1   542   data 54 31 35 4C 30 31 31 (ASCII "T15L011")
BMS_serialNumber2   552   data 39 37 31 39 00 00 (ASCII "9719")
BMS_socStatus       302
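What the DBC does to turn the first view into the second is bit extraction plus a factor and offset per signal, with one extra step for multiplexed frames, where one field selects which of the other signals are present. The block below is an added example (mine, not Vehicle Spy's and not Tesla's DBC): an Intel-byte-order signal decoder driven by a small table. The $232 layout is inferred from the raw and scaled values the screenshot puts side by side (0x2688 scaled by 0.01 is 98.640, 0x75E is 18.860), and which of the two words is discharge and which is regen is my assumption; the BMS_driveLimits layout is inferred the same way from the Power Before and After slide later in the deck, its arbitration ID is not on the slide, and the 0.1 A factor for BMS_maxDischargeCurrent is assumed by analogy with BMS_maxChargeCurrent. The 0x7E2 debug frame only borrows the multiplexor idea (byte 0 is the debug id, 0x89 in the screenshot); the field positions behind it are placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Signal:
    """One DBC signal in Intel (little-endian) byte order: start_bit is the LSB,
    counted from bit 0 of data byte 0. Motorola ordering is not handled here."""
    name: str
    start_bit: int
    length: int
    factor: float = 1.0
    offset: float = 0.0
    signed: bool = False
    unit: str = ""

    def raw(self, payload: bytes) -> int:
        if self.start_bit + self.length > 8 * len(payload):
            raise ValueError(f"{self.name}: frame too short ({len(payload)} bytes)")
        bits = int.from_bytes(payload, "little")
        value = (bits >> self.start_bit) & ((1 << self.length) - 1)
        if self.signed and value & (1 << (self.length - 1)):
            value -= 1 << self.length
        return value

    def decode(self, payload: bytes) -> float:
        return round(self.raw(payload) * self.factor + self.offset, 3)


@dataclass
class Message:
    """A CAN message; if `mux` is set, the multiplexor's raw value selects
    which extra signals (from `muxed`) are present in this particular frame."""
    name: str
    arb_id: Optional[int]
    signals: List[Signal] = field(default_factory=list)
    mux: Optional[Signal] = None
    muxed: Dict[int, List[Signal]] = field(default_factory=dict)

    def decode(self, payload: bytes) -> Dict[str, float]:
        out = {s.name: s.decode(payload) for s in self.signals}
        if self.mux is not None:
            selector = self.mux.raw(payload)
            out[self.mux.name] = selector
            for s in self.muxed.get(selector, []):
                out[s.name] = s.decode(payload)
        return out


# Layouts inferred from the raw/scaled pairs on the slides (not Tesla's DBC).
BMS_POWER_AVAILABLE = Message("BMS_powerAvailable", 0x232, [
    Signal("BMS_maxDischargePower", 0, 16, factor=0.01, unit="kW"),  # word order assumed
    Signal("BMS_maxRegenPower", 16, 16, factor=0.01, unit="kW"),
])

BMS_DRIVE_LIMITS = Message("BMS_driveLimits", None, [   # arbitration id not on the slide
    Signal("BMS_minBusVoltage", 0, 16, factor=0.01, unit="V"),
    Signal("BMS_maxBusVoltage", 16, 16, factor=0.01, unit="V"),
    Signal("BMS_maxChargeCurrent", 32, 16, factor=0.1, unit="A"),
    Signal("BMS_maxDischargeCurrent", 48, 16, factor=0.1, unit="A"),  # factor assumed
])

# Hypothetical sub-layout for the multiplexed 1 Hz debug frame: byte 0 is the
# debug id (0x89 on the slide); the fields behind it are placeholders.
BMS_1HZ_DEBUG = Message("BMS_iHzDebug", 0x7E2,
    mux=Signal("BMS_iHzDebug_Id", 0, 8),
    muxed={0x89: [
        Signal("BMS_DRIVE_ctrWotCounter", 8, 16),
        Signal("BMS_DRIVE_ctrWotCurrentLimit", 24, 16, unit="A"),
    ]})

DATABASE = {m.arb_id: m for m in (BMS_POWER_AVAILABLE, BMS_1HZ_DEBUG)}


def decode_frame(arb_id: int, payload: bytes) -> Dict[str, float]:
    """Decode one captured frame against the database, like Vehicle Spy with a DBC loaded.
    Unknown ids decode to an empty dict rather than guessing."""
    msg = DATABASE.get(arb_id)
    if msg is None:
        return {}
    return msg.decode(payload)


if __name__ == "__main__":
    print(decode_frame(0x232, bytes.fromhex("88265E07")))              # payload from the slide
    print(BMS_DRIVE_LIMITS.decode(bytes.fromhex("EA5D6D9D9D09882D")))  # payload from the slide
    print(decode_frame(0x7E2, bytes.fromhex("890000DC05000000")))      # constructed: limit 1500
```

The `raw()` length check matters in practice: the $232 frame has DLC 4, and a definition that reaches past the payload should fail loudly instead of silently decoding zeros.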
ODX Routines for Shunt Calibration

[Vehicle Spy, diagnostic jobs against TESLA_BOOT; the $22 Read Data By Identifier job ran, the others ($03 Request Stored Codes, $3E Tester Present, $23 Read Memory By Address, $27 Security Access - Key) are stopped]

$22 Read Data By Identifier -> Positive Response from TESLA_BOOT
  SHUNT_HWID = 4
  CGI1_DATA = 38406
  CAU1_DATA = 38406
  SHUNT_CRC = 12640
  SERIAL_NUMBER = 2107536
  READ_RESULT = Write Success
  (transport: USDT PCI ($22): Consecutive Frame)
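The "USDT PCI ($22): Consecutive Frame" line is the transport layer showing through: 0x62 + DID + the 11-byte structure is 14 bytes, so the response cannot fit one CAN frame and arrives as an ISO 15765-2 First Frame followed by Consecutive Frames, the last of which carries PCI byte 0x22 (CF, sequence 2). The block below is an added example (mine, not Tesla's ODX and not Vehicle Spy) that segments and reassembles that exchange and decodes the record from an ODX-style parameter table. SHUNT_HWID at byte 0 (1 byte) and CGI1_DATA at byte 1 (2 bytes) are what the ODX fragment shows; the positions of the remaining fields, the 3-byte serial, the READ_RESULT encoding and the DID 0x1234 are assumptions chosen to fill exactly 11 bytes with the six values in the screenshot.

```python
from typing import Dict, List, Tuple

# ISO-TP (ISO 15765-2) PCI nibbles
SF, FF, CF, FC = 0x0, 0x1, 0x2, 0x3
UDS_READ_DATA_BY_ID = 0x22
POSITIVE_RESPONSE = 0x40
DID_SHUNT_CAL_READ = 0x1234   # placeholder DID, not the real identifier

# ODX-style PARAMS for SHUNT_CALIBRATION_DATA_READ (BYTE-SIZE 11):
# (short name, byte position, byte size). The first two rows are from the slide,
# the rest are assumed so the six displayed fields fill exactly 11 bytes.
SHUNT_CAL_PARAMS: List[Tuple[str, int, int]] = [
    ("SHUNT_HWID", 0, 1),
    ("CGI1_DATA", 1, 2),
    ("CAU1_DATA", 3, 2),
    ("SHUNT_CRC", 5, 2),
    ("SERIAL_NUMBER", 7, 3),
    ("READ_RESULT", 10, 1),
]
READ_RESULT_TEXT = {0: "Write Failed", 1: "Write Success"}   # assumed encoding


def isotp_segment(pdu: bytes) -> List[bytes]:
    """Split a UDS PDU into 8-byte CAN frames (SF, or FF + CFs), padded with 0x00."""
    if len(pdu) <= 7:
        return [bytes([(SF << 4) | len(pdu)]) + pdu.ljust(7, b"\x00")]
    frames = [bytes([(FF << 4) | (len(pdu) >> 8), len(pdu) & 0xFF]) + pdu[:6]]
    seq, pos = 1, 6
    while pos < len(pdu):
        chunk = pdu[pos:pos + 7]
        frames.append(bytes([(CF << 4) | seq]) + chunk.ljust(7, b"\x00"))
        seq, pos = (seq + 1) & 0xF, pos + 7
    return frames


def isotp_reassemble(frames: List[bytes]) -> bytes:
    """Rebuild the PDU, checking the 12-bit length and the CF sequence numbers."""
    pci = frames[0][0] >> 4
    if pci == SF:
        return frames[0][1:1 + (frames[0][0] & 0xF)]
    if pci != FF:
        raise ValueError("expected First Frame")
    total = ((frames[0][0] & 0xF) << 8) | frames[0][1]
    data, expect = bytearray(frames[0][2:8]), 1
    for frame in frames[1:]:
        if frame[0] >> 4 != CF or (frame[0] & 0xF) != expect:
            raise ValueError("bad Consecutive Frame sequence")
        data += frame[1:8]
        expect = (expect + 1) & 0xF
    if len(data) < total:
        raise ValueError("truncated ISO-TP transfer")
    return bytes(data[:total])


def flow_control(block_size=0, st_min=0) -> bytes:
    """FC frame the tester sends after the FF: ContinueToSend, BS, STmin."""
    return bytes([(FC << 4) | 0x0, block_size, st_min]).ljust(8, b"\x00")


def decode_shunt_cal(pdu: bytes) -> Dict[str, object]:
    """Decode a positive $22 response into the ODX-named parameters (big-endian)."""
    if len(pdu) < 3 or pdu[0] != UDS_READ_DATA_BY_ID | POSITIVE_RESPONSE:
        raise ValueError(f"not a positive $22 response: {pdu[:1].hex()}")
    if int.from_bytes(pdu[1:3], "big") != DID_SHUNT_CAL_READ:
        raise ValueError("unexpected DID")
    record = pdu[3:]
    if len(record) != 11:
        raise ValueError(f"BYTE-SIZE mismatch: {len(record)} != 11")
    out: Dict[str, object] = {}
    for name, pos, size in SHUNT_CAL_PARAMS:
        out[name] = int.from_bytes(record[pos:pos + size], "big")
    out["READ_RESULT"] = READ_RESULT_TEXT.get(out["READ_RESULT"], f"0x{out['READ_RESULT']:02X}")
    return out


def build_request() -> bytes:
    return bytes([UDS_READ_DATA_BY_ID]) + DID_SHUNT_CAL_READ.to_bytes(2, "big")


def build_ecu_response(values: Dict[str, int]) -> bytes:
    """Constructed ECU side: encode the parameters into the 11-byte record."""
    record = bytearray(11)
    for name, pos, size in SHUNT_CAL_PARAMS:
        record[pos:pos + size] = values[name].to_bytes(size, "big")
    return bytes([UDS_READ_DATA_BY_ID | POSITIVE_RESPONSE]) + DID_SHUNT_CAL_READ.to_bytes(2, "big") + bytes(record)


# Values from the Vehicle Spy screenshot, packed with the assumed layout.
SCREENSHOT_VALUES = {"SHUNT_HWID": 4, "CGI1_DATA": 38406, "CAU1_DATA": 38406,
                     "SHUNT_CRC": 12640, "SERIAL_NUMBER": 2107536, "READ_RESULT": 1}


def run_exchange(values=SCREENSHOT_VALUES) -> Dict[str, object]:
    """Tester -> ECU request, ECU -> tester segmented response, reassembled and decoded."""
    frames = isotp_segment(build_ecu_response(values))
    assert frames[0][0] >> 4 == FF and len(frames) == 3 and frames[2][0] == 0x22  # FF, CF1, CF2
    _ = flow_control()                                                            # tester answers the FF
    return decode_shunt_cal(isotp_reassemble(frames))


if __name__ == "__main__":
    print([f.hex() for f in isotp_segment(build_request())])
    print(run_exchange())
```

The $27 Security Access job in the screenshot is what gates writes and flashing; its seed-to-key algorithm is part of the ODX and is not reproduced here.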
Shunt Modification

Shunt also needed a hardware modification: a single wire connecting the shunt to the CPLD.

If this wire remained connected after the firmware update then the BMS would generate an alert and refuse to close the contactors.

Discovered when I ran through the upgrade process on a bench version of the components.

Made a breakout board to monitor the signals from the shunt.

This also meant that the hardware and firmware both had to be updated before the car was driven.
Upgrade Process

Had access to garage and lift in Southern California
Drove there to do upgrade, arrived with low SOC
Drop pack, do hardware stuff
Reinstall pack, carefully (image is from borescope)
Flash BMS with special firmware for shunt modification
Flash BMS to new packID
Update internal.dat to add ludicrous and change packID
Redeploy firmware due to changed battery packID
Drive away and enjoy the ridiculous amount of torque?
Final Steps

Using known techniques that I have used before, I tried to redeploy the firmware; I also tried to upgrade, since I had access to several versions.

The car failed using every method I tried.

Had to tow the car from Rancho Cucamonga to Las Vegas so I could continue to work on it.

Cost me $360, or 3.6 hundred dollars: not great, not terrible, right?
Learned Something Cool

Gateway uses a file called firmware.rc

Gateway uses this as a validation check for the components

Calculated during upgrade/redeploy; when the BMS changed, so did its CRC

Changed the CRC based on CAN and value from "signed_metadata_map.tsv"

Final CRC line is a JAMCRC based on overall file

Car woke up, errors cleared and car could be driven.

Eventually figured out the reason for the earlier failure.

firmware.rc

fileFormatVersion 1
platformType 1
platformVersion develop/2018.14.2-6-a88808ee6a
gtw 9acc071b
bms a0637e09
bmscpld 93.0.0
... (removed for clarity)
dhrp 3.11.0
dhfp 3.11.0
dhrd 3.11.0
dhfd 3.11.0
fileCrc 271d96ad
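How the fileCrc trailer can be recomputed after a component line changes, as an added example (mine, not the Gateway's code): a table-driven JAMCRC, which is CRC-32 with the reflected polynomial 0xEDB88320 and initial value 0xFFFFFFFF but without the final XOR, so it equals the bitwise inverse of ordinary CRC-32 (check value 0x340BC6D9 for "123456789"), checked against zlib, plus a parser for the key-value layout above that verifies and rewrites the trailer. The assumption that the CRC covers every byte of the file up to the fileCrc line, with Unix line endings, is mine, so the trailer computed for the sample will not reproduce 271d96ad (lines were also removed from the slide). The per-component values such as bms a0637e09 come from signed_metadata_map.tsv and are not derived here.

```python
import zlib

# Reflected CRC-32 lookup table (polynomial 0xEDB88320), shared by CRC-32 and JAMCRC.
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _TABLE.append(c)


def jamcrc(data: bytes) -> int:
    """CRC-32/JAMCRC: same table and init as CRC-32, but no final XOR with 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc


def jamcrc_via_zlib(data: bytes) -> int:
    """Cross-check: JAMCRC is the complement of the standard CRC-32."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def parse_rc(text: str):
    """firmware.rc is 'key value' per line; the last line is the fileCrc trailer."""
    entries, trailer = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        if key == "fileCrc":
            trailer = int(value, 16)
        else:
            entries.append((key, value))
    return entries, trailer


def body_bytes(entries) -> bytes:
    # Assumption: the trailer covers every byte of the file before the fileCrc line.
    return "".join(f"{k} {v}\n" for k, v in entries).encode()


def verify_rc(text: str) -> bool:
    entries, trailer = parse_rc(text)
    return trailer is not None and jamcrc(body_bytes(entries)) == trailer


def update_rc(text: str, component: str, new_value: str) -> str:
    """Replace one component's value and rewrite the fileCrc line to match."""
    entries, _ = parse_rc(text)
    if component not in dict(entries):
        raise KeyError(component)
    entries = [(k, new_value if k == component else v) for k, v in entries]
    body = body_bytes(entries)
    return body.decode() + f"fileCrc {jamcrc(body):08x}\n"


# Constructed sample in the firmware.rc layout shown above; its trailer is computed
# here under the coverage assumption and will not match the slide's 271d96ad.
SAMPLE_RC = (
    "fileFormatVersion 1\n"
    "platformType 1\n"
    "platformVersion develop/2018.14.2-6-a88808ee6a\n"
    "gtw 9acc071b\n"
    "bms a0637e09\n"
    "bmscpld 93.0.0\n"
)
SAMPLE_RC += f"fileCrc {jamcrc(SAMPLE_RC.encode()):08x}\n"


if __name__ == "__main__":
    print("check value:", hex(jamcrc(b"123456789")))
    print("sample verifies:", verify_rc(SAMPLE_RC))
    updated = update_rc(SAMPLE_RC, "bms", "deadbeef")
    print("updated verifies:", verify_rc(updated))
```

The verify step is the useful part for the failure described on the slide: a firmware.rc whose component line was edited by hand but whose trailer was not recomputed fails `verify_rc`, which is the condition the Gateway was refusing to start from.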
Power Before and After Upgrade

Before Upgrade (BMS_iHzDebug, arb id 7E2, debug id 0x89):
  BMS_iHzDebug_Id = BMS_1HZDBG_CTR_WOT_COUNTER [89]
  BMS_DRIVE_ctrWotCounter = 0 [0]
  BMS_DRIVE_ctrWotCurrentLimit = 1300 Amps

After Upgrade (BMS_iHzDebug, arb id 7E2, debug id 0x89):
  BMS_iHzDebug_Id = BMS_1HZDBG_CTR_WOT_COUNTER [89]
  BMS_DRIVE_ctrWotCounter = 0 [0]
  BMS_DRIVE_ctrWotCurrentLimit = 1500 Amps
  BMS_DRIVE_ctrWotDeratingActive = 0 [0]

Why lower? BMS_driveLimits, data EA 5D 6D 9D 9D 09 88 2D:
  BMS_minBusVoltage = 240.420 V [5DEA]
  BMS_maxBusVoltage = 403.010 V [9D6D]
  BMS_maxChargeCurrent = 246.10 A [99D]
  BMS_maxDischargeCurrent = actual available, below the 1500 A limit

Further Research

TMS320F2809 is supported in IDA Pro

ARBs 7E2 and 202 define max current

Seems possible to increase speed beyond Ludicrous; it has been done by others (1000 HP RWD P85)
Just need to find the variables and "bump them up a bit"; also might need to modify DU firmware
Could be dangerous to do so: Ludicrous drain is already 20 A/cell, or ~6.6C for you RC hobbyists
Could end up burning out the drive unit IGBTs or battery pack, or worse, cause a fire.

Still it would be interesting to reverse engineer; hit me up if you would like to assist, I have dug a lot deeper than the information I am presenting here

Would like to understand shunt parameters CAU1, CGI1

Check out the Car Hacking Village talk for a deep dive into many of these techniques, some analysis of the firmware and where we can take this project from here
Thank You.


Email support@rapid7.com or visit http://rapid7.com 


